All you need to know – from ports to samples

Special report The WannaCrypt ransomware worm, aka WanaCrypt or Wcry, today exploded across 74 countries, infecting hospitals, businesses including Fedex, rail stations, universities, at least one national telco, and more organizations.

In response, Microsoft has released emergency security patches to defend against the malware for unsupported versions of Windows, such as XP and Server 2003, as well as modern builds.

To recap, WannaCrypt is installed on vulnerable Windows computers by a worm that spreads across networks by exploiting a vulnerability in Microsoft's SMB file-sharing services. It specifically abuses a bug designated MS17-010 that Redmond patched in March for modern versions of Windows, and today for legacy versions – all remaining unpatched systems are therefore vulnerable and can be attacked.

This bug was, once upon a time, exploited by the NSA to hijack and spy on its targets. Its internal tool to do this, codenamed Eternalblue, was stolen from the agency, and leaked online in April – putting this US government cyber-weapon into the hands of any willing miscreant. Almost immediately, it was used to hijack thousands of machines on the internet.

Now someone has taken that tool and strapped it to ransomware: the result is a variant of WannaCrypt, which spreads via SMB and, after landing on a computer, encrypts as many files as it can find. It charges $300 or $600 in Bitcoin to restore the documents. It is adept at bringing offices and homes to a halt by locking away their data.

And it installs Doublepulsar, a backdoor that allows the machine to be remotely controlled. That's another stolen NSA tool leaked alongside Eternalblue. The malware is also controlled via the anonymizing Tor network by connecting to hidden services to receive further commands from its masters.

Fortunately, a kill switch was included in the code. When it detects that a particular web domain exists, it stops further infections. That domain was created earlier today by a UK infosec bod, who spotted the dot-com in the reverse-engineered binary; that registration was detected by the ransomware, which immediately halted its worldwide spread.

Connections to the magic domain – iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com – were sinkholed to a server in California, and the admins of infected systems reaching out to the dot-com will be notified, we're told. "IP addresses from our sinkhole have been sent to FBI and ShadowServer so affected organisations should get a notification soon," said the researcher. The infosec bod admitted they registered the domain first, then realized it was a kill switch. Still, job done.

Here are some quick links to much more technical details we've gathered:

An exploit for MS17-010 written in Python with example shellcode. This is based on the Eternalblue tool stolen from the NSA, and was developed by infosec biz RiskSense. It reveals that the SMB server bug is the result of a buffer overflow in Microsoft's code. A 32-bit length is subtracted into a 16-bit length, allowing an attacker to inject more data than they should into the networking service and ultimately hijacking the system. Disabling SMBv1 disables the bug, and is recommended in any case. You should also firewall off SMB ports 139 and 445 from the outside world, and restrict access to the service where possible on internal networks.

You can track infections in real time, here. There are at least 104,000 identified infected hosts worldwide.

The software nasty has today ransacked the UK's national healthcare service, forcing hospitals to shut down to non-emergency patients; torn through Spanish telco Telefónica; and many other organizations. In what is looking like one of the biggest malware attacks in recent memory, the bulk of the infections are in Russia – including the state's interior ministry; the virus has claimed high-profile targets around the world.

♪ Been around the world and I–I–I, I can't find my data ... Source: Kaspersky Lab

We're told 16 NHS health trusts in the UK were taken out by the malware. Prime Minister Theresa May said the code "has crippled" Brit hospitals, and that Blighty's surveillance nerve center GCHQ is looking into the outbreak.

Computers were locked in Aintree, Blackpool, Broomfield Hospital in Essex, Colchester General Hospital, all hospital systems in Derbyshire, Great Yarmouth, East and North Hertfordshire, James Paget hospital in Norfolk, Lanarkshire, and Leicester.

US companies have also been hit. FedEx told The Reg: "Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware. We are implementing remediation steps as quickly as possible. We regret any inconvenience to our customers." Essentially, staff have been told to turn off their non-critical systems, and to keep it that way until the mess is cleaned up – which could take the whole weekend, or longer.

Meanwhile, Scottish Power was also reported as hit, but it told us that it just took down some non-essential systems as a precaution. Germany's rail system was infected, it appears.

To counter the spread of the malware, security firms pushed out file and network traffic signatures to detect the ransomware-worm hybrid's presence and kill it. Microsoft was quick off the ball, emitting signatures for the malware for its systems.

"Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt," a Microsoft spokesperson told The Reg.

"In March, we provided a security update which provides additional protections against this potential attack. Those who are running our free antivirus software and have Windows Update enabled, are protected. We are working with customers to provide additional assistance.”

NSA exposure puts us all at risk

As described above, the worm uses the EternalBlue and DoublePulsar exploits swiped from the NSA's arsenal of hacking tools. It would have been great if the bugs targeted by the agency had been patched years ago; instead, they were fixed by Microsoft in March just before the Shadow Brokers dumped the programs online in April. We assume either the NSA or the brokers tipped off the Redmond giant so that updates to kill off the SMB bug could be pushed out before the exploits publicly leaked.

So, yes, Microsoft issued security fixes to address the vulnerabilities attacked by those cyber-weapons, but as is the way with users and IT departments big and small, not everyone has patched, or can patch, and are now paying the price. The initial infection point may have been spear-phishing emails, thrown at people within organizations, with the malware hidden in attachments that, when opened, trigger a cyber-contagion on the internal network. The malware is a hybrid design that has a worm element, allowing it to spread through internal structures for maximum effect. The exact initial infection method has not been confirmed, though.

According to an analysis by Payload Security, the malware drops a number of programs on the system, including Tor, and adds itself to the Windows Registry so it persists across reboots. It can fetch software modules to gain new abilities, and uses various techniques to hinder reverse-engineering: decrypted samples of the executables are available from the above links.

The code encrypts a wide variety of documents on a computer, including any attached storage, and snatches any keys for remote-desktop access. It deletes volume snapshots, and disables system repair tools. It also scans the infected system's settings to work out the user's language, and pulls up a ransom demand in the correct lingo for the victim. It changes the desktop backdrop, too, to grab the victim's attention.

According to a study by Kaspersky, it appears the malware controllers are getting greedier as infection rates grow. The initial infections asked for $300 worth of Bitcoin, however later infection notices have upped this price to $600. A check on the Bitcoin strings show a few thousand dollars' worth of Bitcoin have already been sent to the criminals.

"We have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia," said Kaspersky's research team.

"It’s important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher."

What is to be done?

This is just the first wave: there is nothing stopping someone from making a new worm that attacks the MS17-010 bug to silently compromise vulnerable systems, or adapting the WannaCrypt binaries to cause more damage.

So, what's the solution? If you're already infected then there's not a lot you can do other than wipe the system and reinstall from offline unaffected backups – if you have them.

It's possible that the malware writers will have screwed up and put the decryption key in the code itself – such slip-ups have happened in the past. Researchers are picking the code apart byte by byte trying to find such clues, but this looks like a reasonably sophisticated piece of software so that's a long shot.

If you haven't been infected, make sure your security patches are up to date. Kill off SMBv1 at the very least, and block access to it from outside your network. The exploits the malware uses have already been patched, and there's no excuse for getting caught out as a private user. It's understandable that IT managers with annoying corporate policies and heavy workloads have been forced to hold back patches, or are unable to apply them. If you can update your installations, drop everything and get patching.

And we'd sure appreciate it if you could stop clicking on attachments from unknown parties, too. ®